b"               March 30, 2004\n\n               MEMORANDUM\n               FOR: \t        Acting Mission Director, USAID/Serbia and Montenegro,\n                             William Foerderer\n\n               FROM:         Regional Inspector General/Budapest, Nancy J. Lawton /s/\n\n               SUBJECT:\t     Risk Assessment of USAID/Serbia and Montenegro (Report No.\n                             B-169-04-002-S)\n\n\n               This memorandum is our report on the subject risk assessment. This is not an\n               audit report and does not contain any recommendations for your action.\n\n               Thank you for providing comments to the draft report. Your comments are\n               included in Appendix II of this report.\n\n               I appreciate the cooperation and courtesy extended to my staff during the risk\n               assessment.\n\n\n\n\nBackground \t   The Republic of Serbia and the Republic of Montenegro within the Federal\n               Republic of Yugoslavia (FRY) formed the state union of Serbia and Montenegro\n               on February 4, 2003. Since its transition from an authoritarian to an elected\n               civilian government, the Government of the Federal Republics of Serbia and\n               Montenegro continues to rebuild its government and social institutions, and is\n               attempting to revitalize its economy under challenging political and economic\n               conditions.\n\n               USAID/Serbia and Montenegro consists of a Controller\xe2\x80\x99s Office, an Executive\n               (Administration) Office, and four Program-related Offices:\n\n                   \xe2\x80\xa2\t an Economic Policy and Finance Office responsible for economic policy,\n                      financial system reform, Micro and Small and Medium Enterprise (SME)\n                      finance programs;\n\n\n                                                                                                1\n\n\x0c    \xe2\x80\xa2\t   a General Development Office responsible for community and local\n         development programs;\n\n    \xe2\x80\xa2\t a Democracy and Governance Office responsible for Non-Governmental\n       Organization independent media, political party process and trade union\n       programs; and\n\n    \xe2\x80\xa2\t a Program Office, responsible for the Mission's strategy and for program\n       coordination.\n\nUSAID/Serbia and Montenegro programs and their approximate fiscal year 2001,\n2002 and 2003 funding levels, in millions, are presented in the following table:\n\n                                                   Appropriated Program Funds\n         USAID/Serbia and Montenegro\n                                                 FY 2001    FY 2002     FY 2003\n Economic Policy and Finance Office\n Strategic Objective - 1.3 Accelerated\n                                                     $7.8        $15.5       $25.0\n Development and Growth of Private\n Enterprise\n Democracy and Governance Office\n Strategic Objective - 2.0 - More Effective,\n                                                      0.0          0.0        14.3\n Responsive and Accountable Democratic\n Institutions\n General Development Office\n Strategic Objective - 2.1 - Increased, Better\n                                                     32.1         52.4        53.2\n Informed Citizens\xe2\x80\x99 Participation in Political\n and Economic Decision Making\n Total Appropriated Program Funds                   $39.9        $67.9       $92.5\n\nThe General Accounting Office (GAO) has stated in the Standards for Internal\nControl in the Federal Government that internal controls are an integral\ncomponent of an organization\xe2\x80\x99s management. They should provide reasonable\nassurance that the following objectives are being met: effectiveness and efficiency\nof operations, reliability of financial reporting, and compliance with applicable\nlaws and regulations. GAO has stated that internal control should provide for an\nassessment of the risks the agency faces from both external and internal sources.\nThis survey focused on the risk assessment component of internal controls.\n\nThe purpose of this survey is to identify significant areas of vulnerability within\nUSAID/Serbia and Montenegro\xe2\x80\x99s administrative and program operations and to\nassist RIG/Budapest in planning future audits.\n\nAppendix I contains a discussion of the scope and methodology for this\nassessment.\n\n\n                                                                                 2\n\n\x0cDiscussion   In judging the risk exposure for the offices in USAID/Serbia and Montenegro, we\n             considered:\n\n                \xe2\x80\xa2\t the amount of funding the individual programs received relative to the\n                   overall mission budget,\n\n                \xe2\x80\xa2\t the level of involvement and support provided by the Government of\n                   Serbia and Montenegro,\n\n                \xe2\x80\xa2   the experience of key staff members,\n\n                \xe2\x80\xa2\t the adequacy of written procedures and the level of compliance with\n                   procedures throughout the Mission,\n\n                \xe2\x80\xa2   the adequacy and use of performance standards and internal audits,\n\n                \xe2\x80\xa2\t evidence of consistent implementation of activities that clearly support\n                   program objectives,\n\n                \xe2\x80\xa2\t the adequacy of physical security for the office and controls over its data\n                   systems, equipment and vehicles,\n\n                \xe2\x80\xa2\t the existence of internal controls surrounding the items judgmentally\n                   selected for review, and\n\n                \xe2\x80\xa2\t correction of Mission-identified weaknesses from the Federal Managers\xe2\x80\x99\n                   Financial Integrity Act (FMFIA) report for fiscal year (FY) 2003.\n\n             Our assessment for each program-specific and functional office is described in the\n             following pages.\n\n\n\n\n                                                                                             3\n\n\x0c                Function Description                              Risk Exposure\nEconomic Policy and Finance Office (EPFO): This                     Moderate\noffice is responsible for Strategic Objective 1.3:\nAccelerated Development and Growth of Private\nEnterprise.\n                          Risk Assessment Factors\n\n\xe2\x80\xa2   This area received 27 percent of the Mission\xe2\x80\x99s FY 2003 funding. In addition,\n    total funding has more than tripled in the past three years, from $7.75 million to\n    $25 million.\n\n\xe2\x80\xa2   The instability of the Government of Serbia and Montenegro and the continued\n    incidents of political violence and disputes may limit program success.\n\n\xe2\x80\xa2   While the staff appeared to be knowledgeable about the various institutions,\n    most staff members are relatively new to USAID.\n\n\xe2\x80\xa2   EPFO staff does not always contact the Mission\xe2\x80\x99s Regional Contracting Officer\n    in Budapest of contractual problems. As a result, some contractor issues\n    requiring official clarification or action have not been addressed.\n\n\xe2\x80\xa2   Key implementing partners have resigned, and the critical institutional\n    knowledge that they contributed to the program may be difficult to replace.\n\n\xe2\x80\xa2   Staff clearly understood USAID policies and procedures, although the area\n    covering cognizant technical officer (CTO) responsibilities should be reviewed\n    and clarified regarding certain contract oversight responsibilities.\n\n\xe2\x80\xa2   Implementing partners did not always meet program or administrative objectives\n    resulting in the termination of one contract.\n\n\xe2\x80\xa2   In some cases implementing partners had not received CTO designation letters\n    which identify the appropriate USAID/Serbia and Montenegro staff member\n    providing oversight of their award. Unless roles and responsibilities are clearly\n    defined and understood by all parities, there may be confusion regarding such\n    issues as approval of contractor personnel and other contract administration\n    issues.\n\n\xe2\x80\xa2   The Mission\xe2\x80\x99s Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA) report for\n    FY 2003 did not disclose any material weaknesses.\n\n\n\n\n                                                                                    4\n\n\x0c                   Function Description                          Risk Exposure\nDemocracy & Governance Office: This office is                         Low\nresponsible for Strategic Objective 2.0: More Effective,\nResponsive and Accountable Democratic Institutions.\n                             Risk Assessment Factors\n\n\xe2\x80\xa2   FY 2003 budget amount of $14.4 million represents only 14 percent of the\n    Mission\xe2\x80\x99s program budget.\n\n\xe2\x80\xa2   Unresolved ethnic tensions and uncertain future relationships with\n    Montenegro and Kosovo create significant program challenges.\n\n\xe2\x80\xa2   The office is staffed by an experienced team of professionals including a\n    recently-hired Rule of Law advisor.\n\n\xe2\x80\xa2   The office actively monitors program activities.\n\n\xe2\x80\xa2   The office supports numerous individual projects to build democratic\n    institutions through an independent media, impartial courts, free and fair\n    elections, and effective political parties.\n\n\xe2\x80\xa2   The Mission\xe2\x80\x99s FY 2003 FMFIA report did not disclose any material\n    weaknesses.\n\n\n\n                   Function Description                          Risk Exposure\nGeneral Development Office (GDO): This office is                   Moderate\nresponsible for Strategic Objective 2.1: Increased,\nBetter-Informed Citizens\xe2\x80\x99 Participation in Political and\nEconomic Decision-Making.\n                             Risk Assessment Factors\n\n\xe2\x80\xa2   This office received $53.2 million, or 57 percent, of the Mission\xe2\x80\x99s FY2003\n    program funds.\n\n\xe2\x80\xa2   The GDO has high dollar value programs. The combined programs of the\n    Serbian Local Government Reform Program (SLGRP) and the Community\n    Revitalization through Democratic Action (CRDA) have over half of the\n    Mission\xe2\x80\x99s funding. The SLGRP is a three-year project with two, one-year\n    options for a total of $29 million. CRDA is planned as a five-year, $200\n    million program.\n\n\n\n\n                                                                                 5\n\n\x0c\xe2\x80\xa2\t The GDO has very qualified and experienced staff. The manager of GDO has\n   over 15 years experience with USAID. Two of three CTOs have not been\n   certified as CTOs, although one has 13 years experience with USAID and has\n   taken previous CTO courses. The least experienced CTO with only one and a\n   half years\xe2\x80\x99 experience with USAID has taken the CTO training and is\n   certified.\n\n\xe2\x80\xa2\t While there is good acceptance of GDO\xe2\x80\x99s programs by communities and local\n   governments, there is uncertainty about the stability of Serbia and Montenegro\n   including changes resulting from governmental elections.\n\n\xe2\x80\xa2\t The GDO has a small and cohesive staff. Technical contracting issues are\n   passed on to the Regional Contracting Officer for resolution.\n\n\xe2\x80\xa2\t The CRDA program has five implementing partners. Five implementing\n   partners for one program could make it difficult to obtain consistent and\n   meaningful reporting on performance indicators; however, work is currently in\n   progress to address this concern.\n\n\xe2\x80\xa2\t The CRDA program has a monitoring and verification system in place.\n   Implementing partners enter program data as it occurs into a web-based data\n   collection system which can be verified and monitored by staff in four field\n   offices. In addition, CTOs make frequent site visits and communicate with the\n   implementing partners.\n\n\xe2\x80\xa2\t Grantees in the GDO are generally U.S. firms and fall under Office of\n   Management and Budget (OMB) Circular A-133 entitled, \xe2\x80\x9cAudits of States,\n   Local Governments, and Non-Profit Organizations.\xe2\x80\x9d Although USAID/OIG\n   has oversight responsibility, certified or independent public accounting firms\n   perform these audits.\n\n\xe2\x80\xa2\t The Mission\xe2\x80\x99s FY 2003 FMFIA report did not disclose any problems with the\n   GDO.\n\n\n                 Function Description                           Risk Exposure\nProgram Office: This office is responsible for country               Low\nplanning formulation, program development, program\nbudget management, and public awareness of the\nprogram.\n                           Risk Assessment Factors\n\n\xe2\x80\xa2   The office is staffed by an experienced team of professionals.\n\n\n\n\n                                                                                    6\n\n\x0c\xe2\x80\xa2\t The office\xe2\x80\x99s main activities, including the Strategic Plans, Annual Reports,\n   and Congressional Budget Justifications for both Serbia and Montenegro, are\n   subject to several layers of Mission and Washington review.\n\n\xe2\x80\xa2\t The office\xe2\x80\x99s main activities are also subject to USAID/Washington\xe2\x80\x99s detailed\n   annual instructions and published guidance.\n\n\xe2\x80\xa2\t The office in Serbia is responsible for Serbia as well as Montenegro\xe2\x80\x99s\n   Strategic Plan, Annual Report, and Congressional Budget Justification. This\n   requires an ongoing coordination of efforts between the two locations.\n\n\xe2\x80\xa2\t The Mission\xe2\x80\x99s FY 2003 FMFIA report did not disclose any material\n   weaknesses.\n\n\n                      Function Description                        Risk Exposure\n    Executive Office: This office manages administrative            Moderate\n    functions such as personnel management, general\n    services, motor pool, and property management.\n                                 Risk Assessment Factors\n\n\xe2\x80\xa2     While the executive officer (EXO) in Serbia has been with USAID since 1995,\n      the other staff is fairly new to USAID. However, there has been virtually no\n      staff turnover. The Mission has recently hired an EXO to manage\n      administrative functions in the Montenegro Office.\n\xe2\x80\xa2\n      The EXO is responsible for administration and internal management activities\n      of the Mission and must work with numerous laws, regulations and standard\n      operating procedures, including, procurement and local labor laws, State\n      Department regulations for travel and education, funding regulations, and\n      computer security. Such multiple requirements demand significant staff\n      attention.\n\n\xe2\x80\xa2     The Mission\xe2\x80\x99s operating expense budget for FY 03 was $2.6 million. This\n      provides for the basic support of the Mission.\n\n\xe2\x80\xa2     The EXO and her staff appear to be aware of their responsibilities and internal\n      controls. We noted the use of appropriate internal controls related to (1)\n      personnel management, (2) Mission security plan, (3) inventory control, (4)\n      computer access controls and security and (5) motor pool operations.\n      However, we also noted some areas of concern: (1) infrequent monitoring of\n      security logs and (2) no approval or testing of the Emergency Action Plan or\n      Disaster Recovery Plan. Although we did not note any problems with the\n      procurement and receiving functions, the Mission should continue to monitor\n      the overall processes for the acceptance and receipt of goods and services on a\n      regular basis to maintain adequate separation of duties.\n\n\n                                                                                    7\n\n\x0c\xe2\x80\xa2\t The Mission\xe2\x80\x99s FY 2003 FMFIA report disclosed the following weaknesses:\n   (1) risk assessment has not been performed, (2) contingency plan has not been\n   developed, (3) the contingency plan has not been tested and (4) the disaster\n   recovery plan has not been developed.\n\n\n                 Function Description                               Risk Exposure\nController\xe2\x80\x99s Office: This office is responsible for the               Moderate\nfinancial management of the Mission\xe2\x80\x99s programs and\noperations.\n                           Risk Assessment Factors\n\n\xe2\x80\xa2   Although the controller\xe2\x80\x99s functions are divided between Serbia and Montenegro,\n    the controller can provide only limited oversight for operations in the\n    Montenegro office. This may increase the risk that (1) individuals may act\n    outside the scope of their responsibilities, (2) financial reporting may be delayed,\n    and (3) funds violations may occur. The Mission has reported such violations in\n    the past.\n\n\xe2\x80\xa2   Staff appeared to be knowledgeable and experienced relating to job\n    responsibilities, however, most of the staff is relatively new to USAID.\n\n\xe2\x80\xa2   Unannounced cash counts are conducted periodically although the\n    documentation of the results of cash counts are not always maintained at the\n    Mission as required by 4 FAH-3 H 397.1-2, Verification of Funds\xe2\x80\x94General\n    Provisions.\n\n\xe2\x80\xa2   The newly implemented MACSTRAX system allows for real time accounting\n    and processing of vouchers, but all required staff has not been trained to use this\n    system.\n\n\xe2\x80\xa2   The controller\xe2\x80\x99s staff backstop each other for various internal accounting\n    functions. While such a system can improve the efficiency of operations,\n    appropriate staff training and management supervision is needed to ensure that\n    appropriate internal controls, including the separation of duties, are maintained.\n\n\xe2\x80\xa2   The Mission receives a large number of vouchers from local and international\n    vendors; unless vouchers are properly managed, the Mission may be liable for\n    the payment of penalty interest.\n\n\xe2\x80\xa2   Vendors request cash payments which create greater administrative burdens than\n    payments by check or wire transfer.\n\n\n\n\n                                                                                      8\n\n\x0c              \xe2\x80\xa2\t The Mission has experienced problems ensuring the timely collection of funds\n                 owed as required by the Prompt Payment Act. The office now notifies\n                 employees immediately.\n\n              \xe2\x80\xa2    The Mission\xe2\x80\x99s FY 2003 FMFIA report did not disclose any material weaknesses.\n\n\n\n\nConclusion\t   We examined the risk associated with the various aspects of the\n              USAID/Serbia and Montenegro Mission. The table below\n              summarizes the conclusions.\n\n                      USAID/Serbia and Montenegro                    Risk Exposure\n                                   Functions                    High   Moderate    Low\n                  Economic Policy and Finance Office                       9\n                  Democracy and Governance Office                                   9\n                  General Development Office                               9\n                  Program Office                                                    9\n                  Executive Office                                         9\n                  Controller\xe2\x80\x99s Office                                      9\n\n              We believe that much of the risk associated with USAID/Serbia and Montenegro\xe2\x80\x99s\n              program objectives not being met are due to the uncertainty of political and\n              economic reforms. We also found instances where the Mission has appropriately\n              identified and disclosed weaknesses, and taken aggressive action to correct\n              problems. In some cases, however, additional management action and improved\n              procedures are needed to ensure adequate program controls.\n\n              Based on our observations, conversations and limited review of documentation,\n              we are offering the following suggestions for Mission management\xe2\x80\x99s\n              consideration. These suggestions are not formal audit recommendations and do\n              not necessarily represent deficiencies, but involve possible improvements or\n              enhancements to activities which could already be in progress. Specifically:\n\n                   \xe2\x80\xa2\t The Mission should assure that CTOs attend CTO training and\n                      Supervisory CTO\xe2\x80\x99s attend the Supervisory CTO training; and,\n\n                   \xe2\x80\xa2\t The Mission should assure that CTOs and other implementers understand\n                      the scope of CTO responsibilities. We also believe that discussions with\n                      the RCO could help clarify the CTO\xe2\x80\x99s responsibilities and would alleviate\n                      any appearance of an overlap of CTO and RCO responsibilities.\n\n\n\n\n                                                                                                  9\n\n\x0cManagement       USAID/Serbia and Montenegro Mission officials generally agreed with the\nComments and     contents of our risk assessment of some of its operations. In its comments, the\nOur Evaluation   Mission provided two corrections to our background section as well as additional\n                 information on its offices. We have incorporated some of the information in the\n                 final report, where appropriate.\n\n                 The Mission also responded positively to our concluding suggestions on CTO\n                 training and responsibilities and discussions with the RCO.\n\n                 The full text of USAID/Serbia and Montenegro\xe2\x80\x99s comments is included as\n                 Appendix II to this report.\n\n\n\n\n                                                                                              10\n\n\x0c                                                                                    Appendix I\n\n\nScope and     Scope\nMethodology\n              The Regional Inspector General/Budapest conducted this risk assessment to gain\n              an understanding of the programs and activities of USAID/Serbia and\n              Montenegro. This was not an audit and does not contain any formal\n              recommendations. The risk assessment was conducted at USAID/Serbia and\n              Montenegro (Serbia) from October 6\xe2\x80\x9324, 2003. To date there has been no\n              program audits in Serbia and Montenegro, thus, the purpose of this assessment\n              was to identify the more significant areas of vulnerability within USAID/Serbia\n              and Montenegro\xe2\x80\x99s administrative and program operations and to assist\n              RIG/Budapest in planning program audits for fiscal year 2005 and beyond.\n\n              The risk assessment focused primarily on fiscal years (FY) 2003 and 2004 data\n              and, as necessary, data from previous years. USAID/Serbia and Montenegro has\n              never been subjected to review by RIG/Budapest, As a result, our period of\n              review also covered various transactions since the start of the Mission during\n              calendar year 2000.\n\n              Methodology\n\n              To perform this risk assessment, we interviewed USAID/Serbia and Montenegro\n              personnel and examined documentation to obtain an understanding of the\n              Mission\xe2\x80\x99s objectives, programs and activities. We assessed selected controls at the\n              Mission and the Strategic Objective (SO) team levels to determine if they were\n              adequate and working as designed. We also interviewed the personnel of the\n              implementing partners for some of these activities to obtain an understanding of\n              the program and internal controls. We judged risk exposure by considering the\n              likelihood of: significant abuse, illegal acts, and/or misuse of resources, failure to\n              achieve program objectives, noncompliance with laws, regulations and internal\n              policies. We assessed overall risk exposure as low, moderate, or high. A higher\n              risk exposure simply indicated that the particular function is more vulnerable to\n              not achieving its program objectives or to experiencing irregularities.\n\n              Our overall risk assessments did not make definitive determinations of the\n              effectiveness of internal controls. As a part of the scope of our review, we (a)\n              identified a judgmental sample of transactions, (b) obtained an understanding of\n              the components of the internal controls related to the relevant sample selected,\n              and (c) assessed what was already known about the internal controls. Also it\n              should be noted, we did not (a) assess the adequacy of the internal control design,\n              (b) determine if controls were properly implemented, or (c) determine if\n              transactions were properly documented.\n\n\n\n                                                                                                 11\n\n\x0cOur risk assessment of USAID/Serbia and Montenegro considered the following\nlimitations:\n\n   \xe2\x80\xa2\t Higher risk exposure assessments are not definitive indicators that\n      program objectives were not being achieved or that irregularities were\n      occurring. A higher risk exposure simply implies that the particular\n      function is more vulnerable to the occurrence of such events.\n\n   \xe2\x80\xa2\t Comparison of risk exposure assessments between organizational units\n      and implementing partners is of limited usefulness due to the fact that the\n      assessments consider both internal and external factors, some being\n      outside the span of control of management.\n\n   \xe2\x80\xa2\t Risk exposure assessments in isolation are not an indicator of\n      management\xe2\x80\x99s capabilities due to the fact that the assessments consider\n      both internal and external factors, some being outside the span of control\n      of management.\n\nWe judgmentally determined a risk level of low, moderate, or high for the\nMission\xe2\x80\x99s various programs and offices. The final assignment of the risk level to\nan office was judgmentally determined considering the external factors which\ncould have had an effect on the programs in some cases. We also assessed how\nsufficiently we believed the strategic objectives (including implementing partners)\nor the offices had met the prescribed regulations, operating guidelines and internal\ncontrol procedures in its program, financial, accounting and administrative\nmanagement.\n\n\n\n\n                                                                                 12\n\n\x0c                                                                                                        Appendix II\n\nManagement\nComments\n\n\n                      UNITED STATES AGENCY FOR INTERNATIONAL DEVELOPMENT\n\n                      Serbia and Montenegro \n\n                      American Embassy, Belgrade \n\n\n\n\n\nMEMORANDUM\n\nTO:                       Nancy Lawton, RIG/ Budapest\n\nFROM:                     William S. Foerderer, Acting Mission Director\n\nDATE:                      March 11, 2004\n\nSUBJECT:            Draft Report on the Risk Assessment of USAID Serbia and\n                    Montenegro\n_____________________________________________________________________\n       The Mission Management reviewed the subject draft report and generally agrees with its content.\nFollowing are Mission comments on several sections of the draft report and the suggestions offered.\n        The Mission recommends two changes in the Background section to correctly state the name of the\ncountry and clarify its recent history:\n      1.\t The 2003 Constitutional Charter of Serbia and Montenegro adopted the name of the State Union of\n          Serbia and Montenegro.\n      2.\t There was no military government, rather the country transitioned from the semi-authoritarian\n          Milosevic-led government to a democratically oriented government in late 2000.\n\nCOMMENTS RECEIVED FROM THE ECONOMIC POLICY AND FINANCE OFFICE (EPFO):\n\n      \xe2\x80\xa2\t The EPFO notes that SO 1.3, as originally conceived, was to receive $30 million per year. Since 2001,\n         this SO received significantly less than the planning levels with only 2003 approaching the $30 million\n         threshold. So, while it is true that SO 1.3 funding increased significantly between 2001 and 2003,\n         systems and procedures are in place to accommodate anticipated annual funding greater than what has\n         been received.\n      \xe2\x80\xa2\t FSN and expatriate staff have significant experience in their respective fields of banking, commercial\n         law and small and medium enterprise development, thus their knowledge of host country institutions is\n         extremely comprehensive. Although Foreign Service National staff in the EPFO are relatively new to\n         the Agency, all professional staff are certified Cognizant Technical Officers having successfully\n         completed the requisite courses in 2001 and 2002. Support staff received appropriate training in files\n         management, and took the Planning, Achieving, Learning (PAL) course providing an overview of\n         USAID systems and the budget processes.\n\n\n\n                                                                                                                   13\n\n\x0c  \xe2\x80\xa2\t CTOs are in regular contact with the Regional Contracting Officer, and engage the RCO in all matters of\n     contract and cooperative agreement management. These initiatives successfully remedied issues in a\n     timely and efficient manner.\n  \xe2\x80\xa2\t The EPFO has seven awards instrument and one tender. With only one exception, there has been\n     continuity and stability in the staffing of each. In one instance, a project endured significant staff\n     turnover and the RCO has been intimately engaged in resolving this matter to the satisfaction of the\n     Mission.\n  \xe2\x80\xa2\t Professional and support staff received appropriate general and specific training related to USAID\n     systems and procedures, acquisition and administration. Additional training will be scheduled as a part\n     of the regular process of skills building and staff strengthening.\n\nCOMMENTS RECEIVED FROM THE GENERAL DEVELOPMENT OFFICE (GDO):\n  \xe2\x80\xa2\t In response to the lack of CTO training mentioned in the report, the GDO took action to ensure that\n     all CTOs will attend training this year. The Office Director completed the Supervisory CTO\n     courses in February, 2004, and is certified. The two uncertified CTO\xe2\x80\x99s are scheduled to take the\n     CTO training in April and August, respectively. Additionally, a senior Foreign Service National\n     staff member will be enrolled in the CTO courses this fiscal year. Hence, by the end of fiscal year\n     2004, the GDO will have five certified CTOs.\n\n\nCOMMENTS RECEIVED FROM THE EXECUTIVE OFFICE:\n\n  \xe2\x80\xa2\t The EXO and her staff appear to be aware of their responsibilities and internal controls. We noted\n     the use of appropriate internal controls related to (1) personnel management, (2) Mission security\n     plan, (3) inventory control, (4) computer access controls and security, and (5) motor pool\n     operations. However, we also noted some areas of concern: (1) infrequent monitoring of security\n     logs, (2) weak separation of duties between the procurement assistant and the receiving clerk, and,\n     (3) no approval or testing of the Emergency Action Plan or Disaster Recovery Plan.\n\n  Areas of concern:\n\n  (1) infrequent monitoring of security logs,\n\n  When USAID migrated to Windows 2000, it moved most of the security monitoring functions back to\n  IRM in Washington. The EXO/ISSO requested guidance from the AGENCY/ISSO on what monitoring\n  needed to be done. None was provided. The Executive Officer has asked for guidance again and, when\n  received, will set up a schedule for monitoring.\n\n  The Mission Systems Manager monitors security logs. He examines the Security Logs under the event\n  viewer on a weekly basis. The audit logs of the USAID.YU website server, hosted externally, are also\n  monitored by him. Finally, the Assistant Systems Manager reviews the Antivirus Definitions Log daily\n  to update antivirus protections and see what events occurred.\n\n  (2) weak separation of duties between the procurement assistant and the receiving clerk,\n\n  As per telephone discussions between D/RIG Jacqueline Bell, Auditors Gardenia Franklin and Gweneth\n  Hughes, TDY RSC/RMSO Executive Officer Jerry Nell and myself on March 8, we believe there is\n  adequate separation of duties.\n\n\n\n\n                                                                                                               14\n\n\x0cAccording to Gweneth Hughes, who assessed the EXO operations, the Procurement Agent stated that he\n\xe2\x80\x9creceives\xe2\x80\x9d goods from vendors and thus there is a risk because the person ordering the goods also\n\xe2\x80\x9creceives\xe2\x80\x9d the goods. However, the receiving function is not executed by the Procurement Agent, rather,\nhe performs the acceptance function for locally procured goods.\n\nGoods are \xe2\x80\x9cordered\xe2\x80\x9d by the Executive Officer and other Mission staff. Staff place orders via the\nProcurement Request function of EXOAPPS (an electronic Executive Office management program).\nThe request must be approved by the Executive Officer. Once approved, it is forwarded to the\nProcurement Agent who identifies vendors and competes the procurement per FAR/AIDAR regulations.\nFor more complex procurements, the Procurement Agent works with the Executive Officer who provides\nguidance. Depending on cost, procurements are effected either by Petty Cash or with a Purchase\nOrder/Contract. The Procurement Agent prepares the Purchase Orders/Contracts which are reviewed by\nthe Executive Officer (including Memorandums of Negotiation), scrutinized and funds reserved by the\nController\xe2\x80\x99s Office, and finally signed by the Executive Officer. The Procurement Agent is responsible\nfor all interactions with vendors from the time when quotes are requested through the delivery of goods\nto USAID. This includes following up on delivery dates, shipping problems, as well as ensuring that\ninvoices are received.\n\nWhen the Procurement Agent accepts the goods from local vendors, he verifies that they match the\ngoods ordered and then turns them over Property/Receiving Clerk who officially receives them. We do\nnot want the Property/Receiving Clerk to be interacting directly with vendors since this would allow for\nan even greater risk since that individual could claim that goods were \xe2\x80\x9creceived\xe2\x80\x9d, control the receiving\nrecords, and have no other party between the vendor and the receiving function.\n\nThe Property/Receiving Clerk receiving function includes matching the goods ordered with the\nprocurement documents and preparing receiving reports. Completed receiving reports are handed over\nto the GSO for entry into the NXP Bar Scan data base for non-expendables, into stock control cards for\nexpendable items, or delivered to the requestor for special order items. Invoices are not paid until the\nProperty/Receiving Clerk, or person ordering the goods or services, verifies their receipt. In this manner,\nthe Procurement Agent can not claim that goods have been received and process the invoices without\nverification of another person as well as a review by the Executive Officer.\n\n(3) no approval or testing of the Emergency Action Plan or Disaster Recovery Plan.\n\nThe Emergency Action and Disaster Recovery Plans are in process and all testing, etc. should be\ncompleted within one month from this response.\n\n\n\xe2\x80\x9cThe Mission\xe2\x80\x99s Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA) report for FY 2003 disclosed the\nfollowing weaknesses: (1) risk assessment has not been performed, (2) contingency plan has not been\ndeveloped, (3) the contingency plan has not been tested, and, (4) the disaster recovery plan has not been\ndeveloped.\xe2\x80\x9d\n\nThe following are updates of the FMFIA FY2003 report:\n\n(1) risk assessment has not been performed,\n\nAs discussed with Gweneth Hughes, an assessment by RSC/RMSO Executive Officers was requested\nlast fall. The assessment is currently underway and will be completed by March 26th. It should also be\nnoted that having an assessment prior to this time was not practical since the Mission was in the start-up\nphase.\n\n\n\n                                                                                                              15\n\n\x0c   (2) contingency plan has not been developed, (3) the contingency plan has not been tested, and, (4) the\n   disaster recovery plan has not been developed.\n\n   The contingency plan is comprised of the Emergency Action and Disaster Recovery Plans. As stated\n   above, it is being developed and will be tested shortly.\n\n\nCOMMENTS RECEIVED FROM THE CONTROLLER\xe2\x80\x99S OFFICE:\n   \xe2\x80\xa2\t The Mission disagrees with the statement in the Controller\xe2\x80\x99s Office assessment that \xe2\x80\x9c\xe2\x80\xa6the results of\n      cash counts are not always documented.\xe2\x80\x9d 4 FAH-3 H-397.1-2, Verification of Funds\xe2\x80\x94General\n      Provisions, requires a monthly, surprise cash count which is documented, signed and dated by all\n      parties, and sent to the servicing United States Disbursing Officer. Noncompliance with this\n      regulation will result in the discontinuance of the cashier operations. The Mission is in compliance\n      with the cash count and reporting requirements and will make all requisite documents available at\n      the RIG\xe2\x80\x99s request.\n   \xe2\x80\xa2\t The Controller\xe2\x80\x99s Office Assessment states that \xe2\x80\x9c\xe2\x80\xa6all required staff have not been trained to use this\n      system.\xe2\x80\x9d The Mission notes that all Controller\xe2\x80\x99s Office staff members, with the exception of the\n      newly-hired Voucher Examiner, were trained to use either MACS or MACSTRAX, depending on\n      their positions, at the time of the Team\xe2\x80\x99s visit. Since then, the Voucher Examiner has been fully\n      trained.\n\n\nMISSION\xe2\x80\x99S COMMENTS IN RESPONSE TO THE SUGGESTIONS GIVEN IN THE DRAFT\nREPORT:\n\n\n   \xe2\x80\xa2\t The USAID/Serbia and Montenegro Mission reopened in early 2001, and new staff, both expatriate and\n      Foreign Service National, have been recruited since that time. All staff is receiving appropriate and\n      relevant training, including that which is related to CTO functions and responsibilities. Professional\n      project management staff have been certified as CTOs as expeditiously as possible and practicable.\n      Supervisory CTO training has been scheduled since the conduct of the RIG\xe2\x80\x99s Assessment, and relevant\n      staff has commenced taking this advanced level of training. Staff joining the Mission in 2004 will\n      similarly be scheduled for Supervisory training at the earliest possible time.\n   \xe2\x80\xa2\t The Mission will continue to support CTO and Supervisory CTO training for all relevant and\n      appropriate staff. The Mission will continue to work closely with the RCO to ensure that duties and\n      responsibilities are appropriately and efficiently dispatched.\n   \xe2\x80\xa2\t USAID/Serbia and Montenegro will continue to work closely and cooperatively with the RCO in order\n      to ensure that roles and responsibilities are clearly defined. In addition to the review of the authorities\n      delegated to CTOs in the CTO designation letters that are in place for each project, and which are on\n      file, the Mission will ensure that all elements of these letters are heeded and not exceeded.\n\n\n\n    Thank you for taking the time to conduct this assessment. The Mission is committed to reducing risk\nand appreciates the efforts made by your Assessment Team toward helping the Mission achieve this goal.\n   Please do not hesitate to contact me or my staff if you need additional information to finalize this report.\n\n\n\n\n                                                                                                                    16\n\n\x0c"